Getting Data In

Recommended B/W

hazem
Path Finder

Our deployment has indexers located in the main data center and multiple branches. We plan to deploy intermediate forwarders and Universal Forwarder (UF) agents in our remote branches to collect logs from security devices like firewalls and load balancers.


What is the recommended bandwidth between the intermediate forwarders and indexers?

What is the recommended bandwidth between the UF agents and indexers?

0 Karma

hazem
Path Finder

Thank you @gcusello for your reply.

I need to clarify that we are in the architecture-setting phase, and our customer asked me the questions below; I need to reply with a specific recommended B/W.


What is the recommended bandwidth between intermediate forwarders, heavy-weight forwarders, and indexers?

What is the recommended bandwidth between the UF agents and indexers?

0 Karma

PickleRick
SplunkTrust

There is no single good answer to such a question. It all depends on your data input. It is obviously overkill to have a 10G uplink for a single UF, or just a bunch of UFs, on fairly unused servers. But on the other hand, if you have a site with a plethora of fairly active nodes, even this 10G hose might not be sufficient (but then a single IF will most surely also not be enough).

0 Karma

gcusello
SplunkTrust

Hi @hazem ,

As I said, the answer depends on the bandwidth you have: there isn't a recommended value, use the highest you can!

As I said, between the intermediate UFs and the IDX you must have a large bandwidth to avoid queues. You can check queues with my search.

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust

Hi @hazem ,

It depends on how many logs you have to transmit: e.g. a Domain Controller has to transmit more logs than a server, and if you have application logs you must consider them too.

Anyway, between intermediate UFs and Indexers, my hint is to avoid limits.

You can configure the max throughput using the maxKBps parameter on the UFs.

My hint is to leave the default values, changing only maxKBps for the intermediate UFs, and analyzing both whether you have network congestion and whether your Indexers can index all logs with an acceptable delay.

Another analysis to perform is the presence of queues, using this search:

index=_internal source=*metrics.log sourcetype=splunkd group=queue
| eval name=case(name=="splunktcpin", "0 - TCP In Queue",
    name=="tcpin_cooked_pqueue", "0 - TCP In Queue",
    name=="parsingqueue", "1 - Parsing Queue",
    name=="aggqueue", "2 - Aggregation Queue",
    name=="typingqueue", "3 - Typing Queue",
    name=="indexqueue", "4 - Indexing Queue",
    true(), name)
| eval max=if(isnotnull(max_size_kb), max_size_kb, max_size)
| eval curr=if(isnotnull(current_size_kb), current_size_kb, current_size)
| eval fill_perc=round((curr/max)*100, 2)
| bin _time span=1m
| stats median(fill_perc) AS fill_percentage perc90(fill_perc) AS "90_perc" max(max) AS max max(curr) AS curr by host, _time, name
| where fill_percentage>70
| sort -_time

if you have queues, you can modify the maxSize parameter for the queues and the maxKBps.

Ciao.

Giuseppe

0 Karma
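The sizing reasoning in this thread (daily volume against the UF's maxKBps cap, and the queue-fill check that the metrics.log search performs), as an added example that is not part of the original posts and not Splunk's own tooling. The 256 KBps default and the limits.conf [thruput] stanza are Splunk's; the 3x busy-hour peak factor, the helper names and the metrics.log lines below are my own assumptions and constructed input.

```python
"""Added example (not from the thread): estimate forwarder-to-indexer bandwidth
from daily volume, express it as a limits.conf maxKBps value, and flag filling
queues from metrics.log lines the way the SPL search in the thread does."""
import math
import re
from collections import defaultdict
from statistics import median

UF_DEFAULT_MAXKBPS = 256          # Universal Forwarder default [thruput] maxKBps
SECONDS_PER_DAY = 86400
KB_PER_GB = 1024 * 1024

QUEUE_LABELS = {                  # same labels as the search's case()
    "splunktcpin": "0 - TCP In Queue",
    "tcpin_cooked_pqueue": "0 - TCP In Queue",
    "parsingqueue": "1 - Parsing Queue",
    "aggqueue": "2 - Aggregation Queue",
    "typingqueue": "3 - Typing Queue",
    "indexqueue": "4 - Indexing Queue",
}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|[^,\s]+)')


def daily_gb_at_kbps(kbps):
    """Largest daily volume a forwarder capped at `kbps` KB/s can move."""
    return round(kbps * SECONDS_PER_DAY / KB_PER_GB, 2)


def required_maxkbps(gb_per_day, peak_factor=3.0):
    """KB/s the link (or maxKBps) must sustain for gb_per_day. peak_factor=3 is
    an assumption that busy-hour traffic is 3x the daily mean; measure yours."""
    mean_kbps = gb_per_day * KB_PER_GB / SECONDS_PER_DAY
    return math.ceil(mean_kbps * peak_factor)


def kbps_to_mbps(kbps):
    """KB/s to link Mbit/s (1 KB = 1024 bytes, 1 Mbit = 10^6 bits)."""
    return round(kbps * 1024 * 8 / 1e6, 2)


def thruput_stanza(kbps):
    """limits.conf fragment for an intermediate forwarder (0 would mean unlimited)."""
    return "[thruput]\nmaxKBps = %d\n" % kbps


def parse_queue_metric(line):
    """Key=value fields of a metrics.log group=queue line, or None for other lines."""
    if "group=queue" not in line:
        return None
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def fill_percent(fields):
    """Same fallback as the search: prefer the *_kb fields, else event counts."""
    if "max_size_kb" in fields:
        cap, cur = float(fields["max_size_kb"]), float(fields["current_size_kb"])
    else:
        cap, cur = float(fields["max_size"]), float(fields["current_size"])
    return round(cur / cap * 100, 2) if cap else 0.0


def hot_queues(metrics_by_host, threshold=70.0):
    """Median fill per (host, queue); return those above threshold, sorted.
    Unlike the SPL this aggregates the whole window instead of 1-minute bins,
    and unknown queue names keep their raw name instead of becoming null."""
    samples = defaultdict(list)
    for host, lines in metrics_by_host.items():
        for line in lines:
            f = parse_queue_metric(line)
            if f and "name" in f:
                label = QUEUE_LABELS.get(f["name"], f["name"])
                samples[(host, label)].append(fill_percent(f))
    return sorted((h, q, round(median(v), 2))
                  for (h, q), v in samples.items() if median(v) > threshold)


# Constructed metrics.log lines for illustration; not output from any real site.
SAMPLE = {
    "idx01": [
        "10-29-2024 12:00:01.000 +0000 INFO  Metrics - group=queue, name=parsingqueue, max_size_kb=6144, current_size_kb=6000, current_size=900, largest_size=950, smallest_size=0",
        "10-29-2024 12:00:31.000 +0000 INFO  Metrics - group=queue, name=parsingqueue, max_size_kb=6144, current_size_kb=5500, current_size=800, largest_size=950, smallest_size=0",
        "10-29-2024 12:01:01.000 +0000 INFO  Metrics - group=queue, name=parsingqueue, blocked=true, max_size_kb=6144, current_size_kb=6100, current_size=920, largest_size=950, smallest_size=0",
        "10-29-2024 12:00:01.000 +0000 INFO  Metrics - group=queue, name=indexqueue, max_size_kb=6144, current_size_kb=500, current_size=80, largest_size=120, smallest_size=0",
    ],
    "if-branch01": [
        "10-29-2024 12:00:01.000 +0000 INFO  Metrics - group=queue, name=tcpin_cooked_pqueue, max_size=1000, current_size=50, largest_size=70, smallest_size=0",
        "10-29-2024 12:00:01.000 +0000 INFO  Metrics - group=queue, name=fschunkqueue, max_size=1000, current_size=0, largest_size=0, smallest_size=0",
    ],
}

if __name__ == "__main__":
    print("UF default cap moves about %.2f GB/day" % daily_gb_at_kbps(UF_DEFAULT_MAXKBPS))
    need = required_maxkbps(100)
    print("100 GB/day at a 3x peak needs %d KB/s (~%.2f Mbit/s)" % (need, kbps_to_mbps(need)))
    print(thruput_stanza(need))
    for host, queue, pct in hot_queues(SAMPLE):
        print("%s %s median fill %.2f%%" % (host, queue, pct))
```

The first number is the one to put in front of the customer: a UF left at the default cap cannot move more than about 21 GB/day regardless of the link, so a branch whose firewalls and load balancers exceed that needs a raised maxKBps on the intermediate forwarder before link speed matters. The queue check reads the same fields the search reads, so a branch forwarder's 0 - TCP In Queue filling while the indexer's 1 - Parsing Queue stays empty points at the WAN, and the reverse points at the indexers.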